jenkinsci / azure-vm-agents-plugin

This repo is for the Azure VM Agents plugin for Jenkins. The Azure DevOps CI/CD team owns it for now.
https://plugins.jenkins.io/azure-vm-agents/

Authentication with self-signed certificate on service principal does not work #483

Closed flyingpizza closed 9 months ago

flyingpizza commented 9 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.387.3.5
OS: Linux - 3.10.0-1160.102.1.el7.x86_64
Java: 11.0.20 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
BlazeMeterJenkinsPlugin:4.18-SNAPSHOT (private-b11f06cd-lnv148) JiraTestResultReporter:185.v749342e01ce4 Parameterized-Remote-Trigger:3.1.1 TestComplete:2.8.1 ace-editor:1.1 allure-jenkins-plugin:2.29.0 amazon-ecr:1.114.vfd22430621f5 amazon-ecs:1.48 analysis-core:1.92 analysis-model-api:11.1.0 android-lint:2.3 ansicolor:1.0.1 ant:487.vd79d090d4ea_e antisamy-markup-formatter:159.v25b_c67cd35fb_ apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 artifactory:3.16.2 async-http-client:1.7.24.3 authentication-tokens:1.53.v1c90fd9191a_b_ aws-codebuild:0.42 aws-codepipeline:0.38 aws-credentials:191.vcb_f183ce58b_9 aws-java-sdk:1.12.406-374.v4cdf53953691 aws-java-sdk-cloudformation:1.12.406-374.v4cdf53953691 aws-java-sdk-codebuild:1.12.406-374.v4cdf53953691 aws-java-sdk-ec2:1.12.406-374.v4cdf53953691 aws-java-sdk-ecr:1.12.406-374.v4cdf53953691 aws-java-sdk-ecs:1.12.406-374.v4cdf53953691 aws-java-sdk-efs:1.12.406-374.v4cdf53953691 aws-java-sdk-elasticbeanstalk:1.12.406-374.v4cdf53953691 aws-java-sdk-iam:1.12.406-374.v4cdf53953691 aws-java-sdk-logs:1.12.406-374.v4cdf53953691 aws-java-sdk-minimal:1.12.406-374.v4cdf53953691 aws-java-sdk-sns:1.12.406-374.v4cdf53953691 aws-java-sdk-sqs:1.12.406-374.v4cdf53953691 aws-java-sdk-ssm:1.12.406-374.v4cdf53953691 aws-lambda:0.5.10 aws-sam:1.2.5 azure-credentials:293.vb_d506148f506 azure-sdk:132.v62b_48eb_6f32f azure-vm-agents:883.v63c930b_025dc badge:1.9.1 basic-branch-build-strategies:1.3.2 blackduck-detect:7.0.0 blueocean:1.27.3 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.3 blueocean-commons:1.27.5.1 blueocean-config:1.27.3 blueocean-core-js:1.27.5.1 blueocean-dashboard:1.27.3 blueocean-display-url:2.4.1 blueocean-events:1.27.3 blueocean-git-pipeline:1.27.3 blueocean-github-pipeline:1.27.3 blueocean-i18n:1.27.3 blueocean-jira:1.25.5 blueocean-jwt:1.27.3
blueocean-personalization:1.27.3 blueocean-pipeline-api-impl:1.27.3 blueocean-pipeline-editor:1.27.3 blueocean-pipeline-scm-api:1.27.3 blueocean-rest:1.27.5.1 blueocean-rest-impl:1.27.3 blueocean-web:1.27.5.1 bootstrap4-api:4.6.0-5 bootstrap5-api:5.2.2-2 bouncycastle-api:2.27 branch-api:2.1128.v717130d4f816 build-failure-analyzer:2.4.0 build-monitor-plugin:1.13+build.202204241251 build-pipeline-plugin:1.5.8 build-timeout:1.21 build-user-vars-plugin:1.9 build-view-column:0.3 build-with-parameters:1.6 caffeine-api:3.1.8-133.v17b_1ff2e0599 checkmarx:8.42.0 checks-api:2.0.0 checkstyle:3.49 cloud-stats:320.v96b_65297a_4b_b_ cloudbees-aborted-builds:1.19 cloudbees-administrative-monitors:1.0.11 cloudbees-analytics:1.47 cloudbees-assurance:2.276.0.28 cloudbees-aws-cli:1.5.20 cloudbees-aws-deployer:1.21 cloudbees-bitbucket-branch-source:800.va_b_b_9a_a_5035c1 cloudbees-blueocean-default-theme:0.8 cloudbees-casc-client:1.73 cloudbees-casc-items-api:2.16 cloudbees-casc-items-commons:2.16 cloudbees-casc-items-controller:2.16 cloudbees-consolidated-build-view:1.6.1 cloudbees-even-scheduler:3.13 cloudbees-folder:6.815.v0dd5a_cb_40e0e cloudbees-folders-plus:3.29 cloudbees-groovy-view:1.14 cloudbees-ha:4.41 cloudbees-jenkins-advisor:336.v4d00382fe22c cloudbees-jsync-archiver:5.23 cloudbees-label-throttling-plugin:3.9 cloudbees-license:9.72 cloudbees-long-running-build:1.18 cloudbees-monitoring:2.16 cloudbees-nodes-plus:1.25 cloudbees-pipeline-policies:1.9 cloudbees-platform-common:1.19 cloudbees-platform-data:1.33 cloudbees-plugin-usage:2.17 cloudbees-quiet-start:1.8 cloudbees-request-filter:1.7 cloudbees-ssh-slaves:2.19 cloudbees-support:3.31 cloudbees-template:4.59 cloudbees-uc-data-api:4.56 cloudbees-unified-ui:1.24 cloudbees-view-creation-filter:1.9 cloudbees-wasted-minutes-tracker:3.8 cloudbees-workflow-template:3.20 cloudbees-workflow-ui:2.10 cloudify:1.0.11 clover:4.12.1 cobertura:1.17 code-coverage-api:3.5.0 codedeploy:1.21 command-launcher:90.v669d7ccb_7c31 
commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1 concurrent-step:1.0.0 conditional-buildstep:1.4.2 config-file-provider:3.11.1 configuration-as-code:1700.v6f448841296e confluence-publisher:156.vf3597ca_9cf27 copyartifact:686.v6fd37018d7c2 cors-filter:1.1 credentials:1271.v54b_1c2c6388a_ credentials-binding:636.v55f1275c7b_27 cucumber-reports:5.5.0 dark-theme:336.v02165cd8c2ee dashboard-view:2.472.v9ff2a_e6a_c529 data-tables-api:1.13.3-3 datadog:3.4.1 datatheorem-mobile-app-security:2.4.1 deployed-on-column:1.9 deployer-framework:86.v7b_a_4a_55b_f3ec disable-github-multibranch-status:1.2 disconnect-plugin:1.1 display-url-api:2.3.7 docker-build-publish:1.3.3 docker-commons:419.v8e3cd84ef49c docker-java-api:3.2.13-37.vf3411c9828b9 docker-traceability:1.2 docker-workflow:563.vd5d2e5c4007f dockerhub-notification:2.6.3 downstream-build-cache:1.7 dtkit-api:3.0.0 durable-task:523.va_a_22cf15d5e0 ec2:2.0.6 ec2-fleet:2.5.0 echarts-api:5.4.0-3 email-ext:2.96.1 embeddable-build-status:2.0.4 envinject:2.4.0 envinject-api:1.199.v3ce31253ed13 extended-choice-parameter:0.78 external-monitor-job:192.ve979ca_8b_3ccd favorite:2.4.1 file-leak-detector:1.9 file-parameters:205.vf6ce13b_e5dee findbugs:4.71 font-awesome-api:6.3.0-2 forensics-api:2.1.0 gcloud-sdk:0.0.3 generic-webhook-trigger:1.84.2 ghprb:1.42.2 git:5.0.0 git-client:4.5.0 git-server:99.va_0826a_b_cdfa_d git-validated-merge:3.34 github:1.37.0 github-api:1.303-417.ve35d9dd78549 github-branch-source:1703.vd5a_2b_29c6cdc github-checks:1.0.18 github-pr-comment-build:61.v49f749d31d98 github-pull-request-build:1.15 github-pullrequest:0.4.0 gitlab-api:5.1.0-84.v491924123a_f7 gitlab-branch-source:650.va_d1ce6d01959 google-oauth-plugin:1.0.8 gradle:2.4 groovy-postbuild:2.5 h2-api:1.4.199 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 hashicorp-vault-plugin:336.v182c0fbaaeb7 hockeyapp:1.2.2 htmlpublisher:1.31 http_request:1.15 influxdb:3.3 infradna-backup:3.38.64 
instance-identity:142.v04572ca_5b_265 ionicons-api:56.v1b_1c8c49374e ivy:2.2 jackson2-api:2.15.2-350.v0c2f3f8fc595 jacoco:3.3.3 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:233.vdc1a_ec702cff javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.8-1 jdk-tool:63.v62d2fd4b_4793 jenkins-build-metrics:5.8 jenkins-design-language:1.27.5.1 jersey2-api:2.37-1 jira:3.7.1 jira-steps:2.0.165.v8846cf59f3db jjwt-api:0.11.5-77.v646c772fddb_0 jnr-posix-api:3.1.7-3 job-dsl:1.79 jobConfigHistory:1166.vc9f255f45b_8a jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.6.4-1 jsch:0.2.8-65.v052c39de79b_2 junit:1198.ve38db_d1b_c975 keeper-secrets-manager:1.0-79.v401df8db86b3 kube-agent-management:1.1.59 kubernetes:3910.ve59cec5e33ea_ kubernetes-client-api:6.4.1-215.v2ed17097a_8e9 kubernetes-credentials:0.10.0 ldap:671.673.vc045dcdd856b_ loadrunner-cloud:5.0.3-322.vc3428feb_0cd1 localization-support:1.2 lockable-resources:2.15 log-parser:2.2 mac:1.5.0 mailer:463.vedf8358e006b_ mapdb-api:1.0.9-28.vf251ce40855d mask-passwords:3.1 matrix-auth:3.1.6 matrix-project:785.v06b_7f47b_c631 maven-plugin:3.20 mercurial:2.16.2 metrics:4.2.13-420.vea_2f17932dd6 mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ mina-sshd-api-scp:2.9.2-62.v199162f0a_2f8 mina-sshd-api-sftp:2.9.2-62.v199162f0a_2f8 momentjs:1.1.1 monitoring:1.91.0 mstest:1.0.0 mstestrunner:1.5.0 nectar-license:8.41 nectar-rbac:5.80 nectar-vmware:4.3.9 new-relic:1.0.4 next-build-number:1.8 node-iterator-api:49.v58a_8b_35f8363 nodelabelparameter:1.10.3.1 notification-api:1.9 oauth-credentials:0.5 oic-auth:2.6 okhttp-api:4.10.0-132.v7a_7b_91cef39c openid4java:0.9.8.0 opentelemetry:2.13.0 operations-center-agent:2.387.0.2 operations-center-analytics-config:2.222.0.1 operations-center-analytics-reporter:2.222.0.1 operations-center-client:2.387.0.2 operations-center-cloud:2.387.0.3 operations-center-context:2.387.0.2 operations-center-notification:1.5 pam-auth:1.10 
parameter-separator:1.3 parameterized-scheduler:1.0 parameterized-trigger:2.45 performance:3.20 pipeline-aws:1.43 pipeline-build-step:488.v8993df156e8d pipeline-event-step:1.13 pipeline-github:2.8-138.d766e30bb08b pipeline-githubnotify-step:1.0.5 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:689.veec561a_dee13 pipeline-input-step:477.v339683a_8d55e pipeline-maven:3.8.3 pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2144.v077a_d1928a_40 pipeline-model-declarative-agent:1.1.1 pipeline-model-definition:2.2144.v077a_d1928a_40 pipeline-model-extensions:2.2144.v077a_d1928a_40 pipeline-rest-api:2.32 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40 pipeline-stage-view:2.32 pipeline-utility-steps:2.13.2 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:3.2.0 pmd:3.47 popper-api:1.16.1-3 popper2-api:2.11.6-2 postbuildscript:2.7.0 prism-api:1.29.0-4 promoted-builds:878.v12d3f7937690 publish-over:0.22 publish-over-ssh:1.22 pubsub-light:1.17 rebuild:1.34 remote-file:1.23 resource-disposer:0.17 role-strategy:3.2.0 run-condition:1.5 saml:4.385.v4dea_91565e9d sauce-ondemand:1.202 scm-api:676.v886669a_199a_a_ scmskip:1.0.3 script-security:1275.v23895f409fb_d sidebar-link:1.11.0 sitemonitor:0.6 skip-plugin:4.15 slack:631.v40deea_40323b snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.15 splunk-devops:1.9.7 splunk-devops-extend:1.9.7 sse-gateway:1.26 ssh-agent:327.v230ecd01f86f ssh-credentials:308.ve4497b_ccd8f4 ssh-slaves:2.877.v365f5eb_a_b_eec sshd:3.275.v9e17c10f2571 stoplightio-report:2.2.5 structs:325.vcb_307d2a_2782 support-core:1356.vd0f980edfa_46 suppress-stack-trace:1.6 swarm:3.34 test-results-analyzer:0.3.5 testflo-for-jira-test-management-automation:1.3.0 testng-plugin:555.va0d5f66521e3 theme-manager:211.vef2a_42c645a_b_ throttle-concurrents:2.8 timestamper:1.24 token-macro:321.vd7cc1f2a_52c8 trilead-api:2.84.v72119de229b_7 uipath-automation-package:3.0 unique-id:2.101.v21a_b_6390a_b_04 
uno-choice:2.5.7 user-activity-monitoring:1.9 valgrind:0.28 variant:59.vf075fe829ccb versioncolumn:2.2 versionnumber:1.1 vstestrunner:1.0.8 warnings-ng:10.1.0 wikitext:3.15 windows-slaves:1.8.1 workflow-aggregator:596.v8c21c963d92d workflow-api:1281.vca_5fddb_3fceb_ workflow-basic-steps:1042.ve7b_140c4a_e0c workflow-cps:3791.va_c0338ea_b_59c workflow-cps-checkpoint:2.14 workflow-cps-global-lib:588.v576c103a_ff86 workflow-durable-task-step:1289.v4d3e7b_01546b_ workflow-job:1326.ve643e00e9220 workflow-multibranch:756.v891d88f2cd46 workflow-scm-step:415.v434365564324 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:865.v43e78cc44e0d ws-cleanup:0.42 xray-connector:2.6.1 xunit:2.4.0 xvfb:1.1.3 yet-another-build-visualizer:1.15
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Not aware of that, as an admin team had configured jenkins for me.

Reproduction steps

1. Create a self-signed certificate and add it to an Azure application.
2. Add the PFX certificate to Jenkins credentials.
3. Create a new Azure service principal using the created certificate.
4. Attempt to verify the service principal in Jenkins.

Expected Results

The service principal should be verified without any issues.

Actual Results

```text
com.microsoft.azure.util.AzureCredentials$ValidationException: Error: The selected Certificate was not found.
    at com.microsoft.azure.util.AzureCredentials$ServicePrincipal.validate(AzureCredentials.java:372)
Caused: com.microsoft.azure.util.AzureCredentials$ValidationException: The provided credentials are not valid: Error: The selected Certificate was not found.
    at com.microsoft.azure.util.AzureCredentials$ServicePrincipal.validate(AzureCredentials.java:409)
    at com.microsoft.azure.util.AzureCredentials$DescriptorImpl.doVerifyConfiguration(AzureCredentials.java:790)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
```

Anything else?

Please note that the same service principal works when secrets are used instead of certificates. The issue seems to be specific to the use of certificates. I hope this helps! If you need anything else, feel free to ask.

Are you interested in contributing a fix?

No response
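An added example, not code from the plugin or from the reporter: a POSIX shell script that performs Steps 1 and 2 of the reproduction with the openssl CLI and then compares SHA-1 thumbprints, so the certificate registered on the Azure app and the PFX stored in Jenkins can be confirmed to be the same key pair before the plugin's verification is blamed. It assumes openssl is installed; the working directory, the certificate name and the PFX password are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the plugin or the issue author): build the
# self-signed cert from Step 1, wrap it in the PFX from Step 2, and check
# that both carry the same certificate by comparing SHA-1 thumbprints.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed: scratch directory
PFX_PASS="${PFX_PASS:-changeit}"     # constructed: demo PFX password

# make_sp_cert NAME: write NAME.key, NAME.crt (self-signed) and NAME.pfx
make_sp_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.crt" \
    -out "$WORKDIR/$1.pfx" -passout "pass:$PFX_PASS"
}

# crt_thumbprint FILE: SHA-1 thumbprint of a PEM certificate as 40 hex
# chars without colons, the form shown for a certificate on an Azure app.
crt_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# pfx_thumbprint FILE: SHA-1 thumbprint of the client cert inside a PFX
pfx_thumbprint() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# thumbprints_match CRT PFX: succeeds only when both hold the same cert
thumbprints_match() {
  [ "$(crt_thumbprint "$1")" = "$(pfx_thumbprint "$2")" ]
}

make_sp_cert jenkins-sp
if thumbprints_match "$WORKDIR/jenkins-sp.crt" "$WORKDIR/jenkins-sp.pfx"; then
  echo "OK: thumbprint $(crt_thumbprint "$WORKDIR/jenkins-sp.crt")"
else
  echo "MISMATCH: the PFX in Jenkins is not the cert on the Azure app" >&2
fi
```

Compare the printed thumbprint with the one listed for the application in the Azure portal; a mismatch means the wrong PFX was uploaded to Jenkins or the wrong certificate to the app.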

timja commented 9 months ago

Duplicate of https://github.com/jenkinsci/azure-vm-agents-plugin/issues/282

and yes client secrets work just fine